/
windows_sip_provider_inventory.yml
45 lines (45 loc) · 1.92 KB
/
windows_sip_provider_inventory.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: Windows SIP Provider Inventory
id: 21c5af91-1a4a-4511-8603-64fb41df3fad
version: 1
date: '2023-10-10'
author: Michael Haag, Splunk
status: production
type: Hunting
data_source: []
description: The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`'
how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
known_false_positives: False positives are limited as this is a hunting query for inventory.
references:
- https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
tags:
analytic_story:
- Subvert Trust Controls SIP and Trust Provider Hijacking
asset_type: Endpoint
atomic_guid: []
confidence: 50
impact: 50
message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.
mitre_attack_id:
- T1553.003
observable:
- name: host
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 25
required_fields:
- Path
- Dll
- host
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log
source: powershell://SubjectInterfacePackage
sourcetype: PwSh:SubjectInterfacePackage